Description
Dolibarr through 23.0.3, fixed in commit 14db36e, contains a SQL injection vulnerability that allows authenticated API users to exfiltrate arbitrary database contents by supplying malicious values to the sqlfilters query parameter in the setup dictionary and multicurrencies REST API endpoints. The affected endpoints in api_setup.class.php and api_multicurrencies.class.php validate sqlfilters only for balanced parentheses and rewrite matched triplets, allowing text placed outside the expected shape, such as an appended UNION SELECT, to be concatenated into the SQL WHERE clause unmodified, enabling retrieval of sensitive data including password hashes and API keys.
Published: 2026-06-30
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dolibarr versions through 23.0.3 contain a flaw in the handling of the sqlfilters parameter used by several REST API list endpoints (the setup dictionary and multicurrencies endpoints named in the description). The implementation only checks that parentheses are balanced and rewrites the filter triplets it recognises; it neither rejects nor escapes text that falls outside that shape. As a result, an attacker holding an authenticated API credential can append SQL fragments such as a UNION SELECT, which are concatenated into the generated WHERE clause unmodified. This lets the attacker read arbitrary rows from any table the application's database account can access, including those holding password hashes and API keys. The vulnerability is CWE-89, a standard SQL injection that leads to unauthorized data disclosure.
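The validation gap described above, modelled as an added Python example that is not Dolibarr's code: build_where_vulnerable mimics the pre-fix behaviour (balanced-parentheses check, triplet rewrite, everything else concatenated untouched), and build_where_hardened is a strict parser that accepts only triplets joined by and/or, rejects any trailing text, and returns values as bind parameters instead of interpolating them. The triplet grammar (t.column:operator:value), the function names and the sample payload are assumptions made for illustration; sqlfilters_is_safe wraps the strict parser as the kind of gate a reverse proxy could apply to the sqlfilters parameter in front of an unpatched instance.

```python
import re

# Added illustration, not Dolibarr's code. The triplet grammar assumed here,
# (t.column:operator:value) joined by and/or, and every name below are
# constructed for the example; the payload is likewise constructed.
TRIPLET = re.compile(
    r"\(\s*(t\.[A-Za-z_][A-Za-z0-9_]*)\s*:\s*(=|!=|<=|>=|<|>|like)\s*:\s*"
    r"('(?:[^']|'')*'|-?\d+)\s*\)",
    re.IGNORECASE,
)


class FilterError(ValueError):
    """Raised by the hardened parser when sqlfilters is not pure filter syntax."""


def parens_balanced(s):
    depth = 0
    for ch in s:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def build_where_vulnerable(sqlfilters):
    """Pre-fix behaviour: require balanced parentheses, rewrite recognised
    triplets, and concatenate everything else into the WHERE clause as-is.
    Text outside the triplet shape (e.g. an appended UNION) passes through."""
    if not parens_balanced(sqlfilters):
        raise ValueError("unbalanced parentheses")

    def rewrite(m):
        return f"({m.group(1)} {m.group(2).upper()} {m.group(3)})"

    return "WHERE " + TRIPLET.sub(rewrite, sqlfilters)


def build_where_hardened(sqlfilters):
    """Strict recursive-descent parse of  expr := term ((and|or) term)*,
    term := triplet | '(' expr ')'.  Anything outside that grammar raises
    FilterError; values come back as qmark bind parameters, never as SQL."""
    pos, n, sql, params = 0, len(sqlfilters), [], []

    def skip_ws():
        nonlocal pos
        while pos < n and sqlfilters[pos].isspace():
            pos += 1

    def parse_term():
        nonlocal pos
        skip_ws()
        m = TRIPLET.match(sqlfilters, pos)
        if m:
            col, op, raw = m.group(1), m.group(2).upper(), m.group(3)
            # Unquote string literals ('' -> '), keep integers as ints.
            params.append(raw[1:-1].replace("''", "'") if raw.startswith("'") else int(raw))
            sql.append(f"({col} {op} ?)")
            pos = m.end()
        elif pos < n and sqlfilters[pos] == "(":
            pos += 1
            sql.append("(")
            parse_expr()
            skip_ws()
            if pos >= n or sqlfilters[pos] != ")":
                raise FilterError(f"expected ')' at offset {pos}")
            pos += 1
            sql.append(")")
        else:
            raise FilterError(f"expected filter triplet at offset {pos}: {sqlfilters[pos:pos + 20]!r}")

    def parse_expr():
        nonlocal pos
        parse_term()
        while True:
            skip_ws()
            m = re.match(r"(and|or)\b", sqlfilters[pos:], re.IGNORECASE)
            if not m:
                return
            sql.append(m.group(1).upper())
            pos += m.end()
            parse_term()

    parse_expr()
    skip_ws()
    if pos != n:
        # This is exactly where an appended "UNION SELECT ..." is caught.
        raise FilterError(f"unexpected trailing text at offset {pos}: {sqlfilters[pos:]!r}")
    return "WHERE " + " ".join(sql), params


def sqlfilters_is_safe(sqlfilters):
    """Boolean gate for a proxy or WAF in front of an unpatched instance."""
    try:
        build_where_hardened(sqlfilters)
        return True
    except FilterError:
        return False


# Constructed payload of the kind the advisory describes: one valid triplet
# followed by an appended UNION SELECT (table and column names illustrative).
PAYLOAD = "(t.rowid:=:1) UNION SELECT login, api_key FROM llx_user"
LEGIT = "(t.ref:like:'SO-%') and (t.rowid:>:5)"

if __name__ == "__main__":
    print(build_where_vulnerable(PAYLOAD))   # the UNION survives intact
    print(build_where_hardened(LEGIT))       # parameterised, no raw values
    print(sqlfilters_is_safe(PAYLOAD), sqlfilters_is_safe(LEGIT))
```

The point of the hardened version is that the parser, not a parentheses counter, decides what reaches the database: it consumes the string left to right and anything it cannot account for is an error rather than a pass-through. Binding values as parameters is a second, independent layer; the driver's placeholder style will differ from the qmark used here.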

Affected Systems

The affected product is Dolibarr ERP/CRM, all releases up to and including version 23.0.3. The issue was fixed by commit 14db36e; address it by upgrading to a release that contains that commit or by applying the corresponding back-port. Sites that cannot update immediately should assume that any authenticated API user can exploit the flaw.

Risk and Exploitability

With a CVSS v4.0 score of 7.2 (CVSS v3.1: 7.6) the vulnerability poses a high risk to confidentiality; exploitation requires an existing authenticated API credential but no user interaction and no special preconditions. EPSS data is not available and the vulnerability is not listed in CISA's KEV catalog, so the probability of exploitation in the wild is not precisely quantified; the SSVC record in the history below (Exploitation: poc) does, however, indicate that a proof of concept exists, and the input manipulation is trivial. An attacker can exfiltrate sensitive data by sending crafted requests to the affected endpoints, so this should be treated as high priority and patched promptly.

Generated by OpenCVE AI on June 30, 2026 at 17:36 UTC.

Remediation

No vendor fix or workaround is listed in this record; the CVE description states that the issue is fixed in commit 14db36e, so upgrading to a release that includes that commit is the expected remediation.

OpenCVE Recommended Actions

  • Upgrade to a patched Dolibarr release that contains commit 14db36e.
  • If a patch cannot be applied immediately, block or strip the sqlfilters parameter on requests to the affected REST API endpoints (at a reverse proxy or WAF) so that injected text never reaches the WHERE clause.
  • Restrict API user permissions to the minimum required, disable API accounts that are not needed, and rotate the API keys of the remaining accounts, since a successful exploit can read stored password hashes and API keys.

Generated by OpenCVE AI on June 30, 2026 at 17:36 UTC.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 18:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 16:45:00 +0000

Type: Description
Values Added: Dolibarr through 23.0.3, fixed in commit 14db36e, contains a sql injection vulnerability that allows authenticated API users to exfiltrate arbitrary database contents by supplying malicious values to the sqlfilters query parameter in the setup dictionary and multicurrencies REST API endpoints. The affected endpoints in api_setup.class.php and api_multicurrencies.class.php validate sqlfilters only for balanced parentheses and rewrite matched triplets, allowing text placed outside the expected shape such as an appended UNION SELECT to be concatenated into the SQL WHERE clause unmodified, enabling retrieval of sensitive data including password hashes and API keys.

Type: Title
Values Added: Dolibarr - SQL Injection via sqlfilters Parameter in Multiple REST API List Endpoints

Type: First Time appeared
Values Added: Dolibarr (vendor), Dolibarr ERP/CRM (product)

Type: Weaknesses
Values Added: CWE-89

Type: CPEs
Values Added: cpe:2.3:a:dolibarr:dolibarr_erp\/crm:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Dolibarr (vendor), Dolibarr ERP/CRM (product)

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}

Type: Metrics (cvssV4_0)
Values Added: {'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

Dolibarr (vendor), Dolibarr ERP/CRM (product)
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T17:46:09.270Z

Reserved: 2026-06-30T12:43:19.294Z

Link: CVE-2026-58376

Vulnrichment

Updated: 2026-06-30T17:41:06.351Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T17:45:04Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')